3com Vlans & WAP for multiple (20) offices and shared Internet

Posted on 2007-08-11
Last Modified: 2013-11-16
I need some help configuring a 3Com 4500 switch and a WatchGuard X550e firewall to do the following:

The customer has an office building with 20 separate businesses that need Internet access and VoIP capability. We are installing a Mitel VoIP phone system for all offices as well.

We need to create a separate VLAN for data (and connection to the Internet through the WatchGuard firewall) for each office. We would like to use the 3Com's Auto Voice VLAN for the IP phones. We will also be providing some hosted servers that the data VLANs will need access to (a separate "server farm" VLAN).

The customer would also like to provide wireless access for each office, as well as a public (open) Wi-Fi connection for the conference room. We will use 3Com 8760 WAPs for this, but I'm not sure how to get the appropriate wireless clients into their respective VLANs. Is this even possible?
Ideally all VLAN clients would get their IP address from the DHCP server in the WatchGuard, but I don't think the WatchGuard can handle that.

Question by: mbriese

    Expert Comment

    WG supports VLANs with the following limitations:
    - You must have Fireware Pro installed on your Firebox [purchased separately].
    - VLANs are supported from trusted and optional interfaces only. The external interface does not allow VLAN configuration.
    - WatchGuard's VLAN implementation does not support spanning tree link management.
    - If your Firebox is configured with a drop-in configuration, you cannot use VLANs.
    - One Firebox physical interface can be an untagged VLAN member of only one VLAN. For example, if eth0 is an untagged member of a VLAN named VLAN-1, it cannot be an untagged member of a different VLAN at the same time.
    - A Firebox interface can send untagged data to only one VLAN.
    - A Firebox interface can receive untagged data frames for only one VLAN.
    - Your Firebox model and license control the number of VLANs you can add to the Firebox. To see the number of VLANs you can add to your Firebox, use Policy Manager to select Setup > Licensed Features. Click the Active Features button and find the row labeled VLAN.

    All network segments you want to add to a VLAN must have IP addresses on the VLAN network.

    You need to use WG software version 9.0 for VLANs.

    You can configure the Firebox as a DHCP server for the computers on your VLAN network.
    1. Select the Use DHCP Server radio button to configure the Firebox as the DHCP server for your VLAN network.
    2. To add an IP address range, click Add and type the first and last IP addresses assigned for distribution. Click OK. You can configure a maximum of six address ranges.
    3. To reserve a specific IP address for a client, click Add next to the Reserved Addresses box. Enter a name for the reservation, the IP address you want to reserve, and the MAC address of the client's network card. Click OK.
    4. Use the arrow buttons next to Leasing Time to change the default lease time.

    Hope this helps. Please let me know if you need more details.

    Thank you.

    Author Comment

    That is some great information. With a need for 20 VLANs, all with DHCP-assigned addresses and with the need for Internet access, it sounds like the Firebox will not support this. What would you do to provide "private" networks to 20+ offices and share one Internet connection?

    Expert Comment

    Well, you have the option to create secondary networks on one single interface in WG. So, theoretically you can create 20 secondary networks and then define a VLAN for each one of them; normally, when you create secondary networks, as they are defined on one single port of the firewall device, the traffic can flow between them. But in your case you would be defining VLANs and DHCP for each secondary network that you create, so this should work.

    I am also not sure whether, with Fireware Pro, you get an option to define VLANs when creating secondary networks; I think you should get the option. If you do get an option for VLANs, I think the setup you want should work.

    I have not tested this solution myself so didn't put it in the post earlier but I think it can be tried.

    Author Comment

    This is what I was thinking; however, it appears that the Firebox only supports up to 6 DHCP scopes. I am also wondering how it would determine which scope to pull the IP address from for each VLAN. Additionally, I may be wrong, but I think the Firebox will provide routing between the secondary networks. If so, is there a way to prevent this?


    Accepted Solution

    The secondary networks are on the same physical interface and the traffic is allowed by default. I am not sure but I think we can define "Any" service to block traffic between the subnets [Again never worked on a scenario like this and don't have setup to test :(]. Something like:
    Policy->Denied; from,; to,

    If DHCP scope is a limitation then I do not think FB would suit your scenario. I think as we would associate each DHCP server according to VLAN and we specify IP as well while defining VLANs; this should help setting DHCP for one VLAN only but as I have not tried the scenario I am not sure.

    Frankly I am not sure how VLANs respond as far as WG is concerned.

    One solution is: if you put a router behind the WG, then the WG would not do any VLAN or route management. You can configure the router not to allow any traffic between the subnets and to handle the VLANs. On the WG you can keep one subnet, and one interface of the router would be on the same subnet. For the other subnets you can define routes on the WG.
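To make the router-behind-the-firewall design in the accepted solution concrete, here is an added example (not part of the original thread, and not WatchGuard or 3Com code): a small Python model of the addressing plan, the inter-VLAN policy the router would enforce (offices reach the server farm and the Internet but not each other; the open conference-room Wi-Fi reaches only the Internet), and the static route list the Firebox would need for every VLAN subnet via the router. All VLAN IDs, subnets and the transit link 10.10.1.0/30 are constructed assumptions, not the customer's values.

```python
import ipaddress

# Constructed addressing plan (assumption): 20 office data VLANs 10-29 on
# 10.10.<vid>.0/24, voice VLAN 100, server-farm VLAN 200, public Wi-Fi VLAN 300.
def build_vlan_plan(n_offices=20):
    plan = {}
    for i in range(n_offices):
        vid = 10 + i
        plan[vid] = {"name": f"office{i + 1:02d}", "role": "office",
                     "subnet": ipaddress.ip_network(f"10.10.{vid}.0/24")}
    plan[100] = {"name": "voice", "role": "voice",
                 "subnet": ipaddress.ip_network("10.10.100.0/24")}
    plan[200] = {"name": "serverfarm", "role": "servers",
                 "subnet": ipaddress.ip_network("10.10.200.0/24")}
    plan[300] = {"name": "public-wifi", "role": "public",
                 "subnet": ipaddress.ip_network("10.10.250.0/24")}
    return plan


def check_no_overlap(plan):
    # Overlapping scopes would make the "which DHCP scope / which route" question unanswerable.
    nets = [v["subnet"] for v in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return True


def role_of(plan, ip):
    # Returns (role, vlan name); anything outside the plan is treated as the Internet.
    addr = ipaddress.ip_address(ip)
    for v in plan.values():
        if addr in v["subnet"]:
            return v["role"], v["name"]
    return "internet", "internet"


# First-match policy for connections initiated from src to dst, evaluated on the
# inter-VLAN router; the last rule is the default deny that keeps offices apart.
POLICY = [
    ("office", "servers", "allow"),
    ("office", "internet", "allow"),
    ("voice", "servers", "allow"),   # phones reach a call controller assumed to sit in the server farm
    ("voice", "voice", "allow"),
    ("public", "internet", "allow"), # open Wi-Fi gets Internet only
    ("*", "*", "deny"),
]


def is_permitted(plan, src_ip, dst_ip):
    src_role, src_name = role_of(plan, src_ip)
    dst_role, dst_name = role_of(plan, dst_ip)
    if src_name == dst_name:
        return True  # same VLAN: switched locally, never reaches the router policy
    for s, d, action in POLICY:
        if s in (src_role, "*") and d in (dst_role, "*"):
            return action == "allow"
    return False


def firebox_static_routes(plan, transit_router_ip="10.10.1.2"):
    # The Firebox keeps only the transit subnet itself; every VLAN subnet is a
    # static route pointing at the router's transit address.
    return sorted((str(v["subnet"]), transit_router_ip) for v in plan.values())


if __name__ == "__main__":
    plan = build_vlan_plan()
    check_no_overlap(plan)
    for subnet, next_hop in firebox_static_routes(plan):
        print(f"route {subnet} via {next_hop}")
    print("office01 -> office02:", is_permitted(plan, "10.10.10.5", "10.10.11.5"))
    print("office01 -> server farm:", is_permitted(plan, "10.10.10.5", "10.10.200.10"))
```

The model is stateless and only looks at the initiating direction; on a real router the return traffic is covered by a stateful firewall or by matching reverse rules, and the voice VLAN rules depend on where the Mitel controller actually lives.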
